CN105989155A - Method and device for identifying risk behaviors - Google Patents

Method and device for identifying risk behaviors

Publication number
CN105989155A
Authority
CN
China
Prior art keywords
risk
user
specific behavior
link
behavior
Prior art date
Legal status
Granted
Application number
CN201510093725.4A
Other languages
Chinese (zh)
Other versions
CN105989155B (en)
Inventor
毛仁歆
孙超
李新凯
何帝君
Current Assignee
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority to CN201510093725.4A (CN105989155B)
Application filed by Alibaba Group Holding Ltd
Priority to JP2017546734A (JP6734293B2)
Priority to PCT/CN2016/074424 (WO2016138830A1)
Priority to PL16758446T (PL3267348T3)
Priority to EP16758446.5A (EP3267348B1)
Priority to ES16758446T (ES2801273T3)
Priority to SG11201707032UA (SG11201707032UA)
Priority to KR1020177026844A (KR102125116B1)
Publication of CN105989155A
Priority to US15/694,030 (US10601850B2)
Application granted
Publication of CN105989155B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method and a device for identifying risk behaviors, which address the low efficiency caused in the prior art by repeatedly patching rule loopholes when identifying risky network behavior. The method comprises the following steps: obtaining the behavior data of a user; selecting a specific behavior link from the behavior data; determining the risk coefficient of the specific behavior link in the behavior data; and judging, according to the risk coefficient, whether the specific behavior link is risky.

Description

Method and device for identifying risk behavior
Technical field
The application relates to the field of computer technology, and in particular to a method and device for identifying risky network behavior.
Background
With the development of the Internet, people's network behaviors are increasingly frequent and intertwined. Conceptually, network behavior refers to the process by which an individual on a network obtains, sends or transmits network data, and generally includes information queries, file downloads, sending mail and so on. Besides normal network behavior, abnormal network behavior that an individual performs intentionally or unintentionally can cause losses, for example: a company employee browsing information unrelated to work during working hours, or online customer service staff querying a user's consumption records in violation of the rules. Risk monitoring systems for monitoring risky network behavior emerged in response to these problems.
At present, traditional risk monitoring systems build a rule engine, extract and analyze features of the network behaviors that match the rule definitions, and thereby identify risky network behavior. However, the rules used by a rule engine usually have loopholes, and new rules must continually be added to close them, which undoubtedly increases developers' workload and is inefficient. In addition, the rule engine itself consumes extra computer resources, which burdens the computer system.
Summary of the invention
The embodiments of the application provide a method and device for identifying risk behavior, to solve the prior-art problems of low efficiency caused by patching rule loopholes when identifying risky network behavior, and of the rule engine consuming extra computer resources.
The method for identifying risk behavior provided by the embodiments of the application includes:
Obtaining the behavior data of a user;
Determining the risk coefficient of a specific behavior link in the behavior data;
Judging, according to the risk coefficient, whether the specific behavior link is risky.
The device for identifying risk behavior provided by the embodiments of the application includes:
An acquisition module, for obtaining the behavior data of a user;
A determining module, for determining the risk coefficient of a specific behavior link in the behavior data;
A judging module, for judging, according to the risk coefficient, whether the specific behavior link is risky.
At least one of the above technical solutions adopted by the embodiments of the application can achieve the following beneficial effects:
The embodiments of the application obtain the behavior data of a user, select a specific behavior link from that data, compute the risk coefficient of the specific behavior link in the behavior data, and finally judge from the risk coefficient whether the specific behavior link is risky. Compared with the rule-engine approach, this process does not require manually patching rule loopholes, which improves the efficiency of behavior risk identification. It also avoids the rule engine's consumption of extra computer resources, which lightens the load on the computer system.
Brief description of the drawings
The drawings described here provide a further understanding of the application and form part of it. The illustrative embodiments of the application and their descriptions are used to explain the application and do not unduly limit it. In the drawings:
Fig. 1 shows the flow of the method for identifying risk behavior provided by an embodiment of the application;
Fig. 2 shows the process of selecting a specific behavior link from the behavior data in the method for identifying risk behavior provided by an embodiment of the application;
Fig. 3 shows the process of determining the short-term risk coefficient in the method for identifying risk behavior provided by an embodiment of the application;
Fig. 4 shows the process of determining the historical risk coefficient in the method for identifying risk behavior provided by an embodiment of the application;
Fig. 5 shows the process of determining the team risk coefficient in the method for identifying risk behavior provided by an embodiment of the application;
Fig. 6 shows the process of judging whether a specific behavior link is risky in the method for identifying risk behavior provided by an embodiment of the application;
Fig. 7 is a structural diagram of the device for identifying risk behavior provided by an embodiment of the application.
Detailed description
To make the purpose, technical solutions and advantages of the application clearer, the technical solutions are described clearly and completely below with reference to specific embodiments of the application and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in the application without creative work fall within the scope of protection of the application.
Fig. 1 shows the flow of the method for identifying risk behavior provided by an embodiment of the application, which includes the following steps:
S11: Obtain the behavior data of a user.
In the embodiments of the application, behavior data is obtained by a network monitoring system. Network monitoring monitors and controls the computers in a network so as to record, along the time dimension, the Internet activity (network behavior) of each user in the network. The network monitoring system includes monitoring hardware or monitoring software, and the network includes a local area network, a metropolitan area network or a wide area network. The behavior data is stored in a specific storage medium, and the behavior data needed for a given analysis is extracted from that storage medium.
The technical solution of the application is introduced here using an e-commerce website as an example: the method for identifying risk behavior is used to monitor whether the network behavior of the website's customer service staff is risky.
S12: Select a specific behavior link from the behavior data. A behavior link is the combination obtained by ordering multiple behaviors by their time of occurrence. Because a behavior link is closer to the user's real behavioral intent, it improves the validity of network behavior risk identification.
Fig. 2 shows the process of selecting a specific behavior link from the behavior data in the method for identifying risk behavior provided by an embodiment of the application. In the embodiments of the application, step S12 specifically includes the following steps:
S121: Select the fragment data within a specific time period from the behavior data.
Continuing the example, suppose the individual whose behavior risk is to be analyzed is user M. The fragment data of user M for a specific time period on a given day D can then be extracted from the storage medium. Suppose the specific time period is 15 minutes, for example 13:10~13:25; the fragment data is then the behavior data that user M produced between 13:10 and 13:25 on that day.
S122: Obtain each behavior contained in the fragment data.
In the example, suppose that between 13:10 and 13:25 on that day, the behaviors performed by user M include behavior X, behavior Y and behavior Z.
S123: Sort the behaviors by time of occurrence to obtain the behavior link.
In the example, sorting behavior X, behavior Y and behavior Z from earliest to latest time of occurrence gives the specific behavior link G: behavior X → behavior Y → behavior Z.
S13: Determine the risk coefficient of the specific behavior link in the behavior data.
In the embodiments of the application, the risk coefficient is a numerical value expressing how rare a specific behavior link G is. Generally, if a network behavior occurs with high probability, that is, it is common, the behavior is normal, for example customer service staff viewing a shop's information. If a network behavior occurs with low probability, that is, only in rare situations, the behavior is a risk behavior, for example customer service staff querying the consumption records of relatives and friends. The application uses the risk coefficient to determine whether a network behavior is risky.
In the embodiments of the application, the risk coefficient includes one or more of a short-term risk coefficient a, a historical risk coefficient b and a team risk coefficient c. Of course, in other embodiments of the application, the risk coefficients analyzed are not limited to these three. The short-term risk coefficient a is the rarity with which user M operates the specific behavior link G within a first time period t1 (for example, one day). The historical risk coefficient b is the rarity with which user M operates the specific behavior link G within the total time length t2 since the user registered (the interval from the registration time to the current time). If the population of users to which user M belongs is defined as a user group, and the user group contains multiple users, the team risk coefficient c is the rarity with which the user group containing user M operates the specific behavior link G.
The determination of each risk coefficient is described in detail below:
Fig. 3 shows the process of determining the short-term risk coefficient in the method for identifying risk behavior provided by an embodiment of the application, which includes the following steps:
S131: Obtain the total number of operations s1 that user M performs on all behavior links within the first time period t1.
Continuing the example, suppose the first time period t1 is one day. From user M's behavior data for that day, the number of all behavior links that user M performed that day (the total number of operations s1) can be counted. In the embodiments of the application, user M's total number of operations s1 for the day is counted using the duration tG of a single specific behavior link G as the unit. Specifically, if tG is 15 minutes, the total number of operations is s1 = 24*60/15 = 96.
S132: Obtain the number of operations s2 that user M performs on the specific behavior link G within the first time period t1.
In the example, with the first time period t1 set to one day, count the number of times user M operates the specific behavior link G that day (the number of operations s2). Specifically, if tG is 15 minutes, the day is divided into 15-minute time slices, and each slice is checked in turn for an occurrence of the specific behavior link G. If it occurs, s2 is increased by 1; if not, s2 is increased by 0, until the number of operations s2 for the day is obtained.
S133: Determine the ratio of the total number of operations s1 to the number of operations s2 to obtain the short-term risk coefficient a.
In the embodiments of the application, the formula for the short-term risk coefficient a is:
a = s1/s2
Fig. 4 shows the process of determining the historical risk coefficient in the method for identifying risk behavior provided by an embodiment of the application, which includes the following steps:
S134: Obtain the total time length t2 of user M from the registration time t0 to the current time ta.
Continuing the example, suppose user M's registration time t0 in the customer service system of the e-commerce website is January 1, 2014 and the current time ta is January 1, 2015; the total time length t2 is then 365 days.
S135: Obtain the actual time length t3 for which user M operated the specific behavior link G.
In the embodiments of the application, the actual time length t3 for which user M operated the specific behavior link G is calculated in days. User M's behavior data for the above 365 days is split by day into 365 pieces of fragment data, and each day's fragment data is checked in turn for an occurrence of the specific behavior link G. If it occurs, t3 is increased by 1; if not, t3 is increased by 0, until the actual number of days on which user M operated the specific behavior link G (the actual time length t3) is obtained.
S136: Determine the historical risk coefficient b from the total time length t2 and the actual time length t3.
In the embodiments of the application, an old user registered earlier, so the total time length t2 is longer (for example, 3 years). Suppose the old user's actual time length t3 of operating the specific behavior link G is 2 days; the conclusion is then that the probability that this old user operated the specific behavior link G within t2 is low. A new user registered later, so the total time length t2 is shorter (for example, 5 days). Suppose the new user's actual time length t3 of operating the specific behavior link G is also 2 days; the conclusion is then that the probability that this new user operated the specific behavior link G within t2 is high. The difference between old and new users therefore affects the accuracy of the historical risk coefficient b. To smooth out this difference, step S136 specifically includes:
First, smooth the total time length t2 and the actual time length t3 to obtain a smoothed total time length t2k and a smoothed actual time length t3k. In the embodiments of the application, the smoothing may be taking a logarithm, taking a remainder, taking a root, and so on. Taking the logarithm as an example, t2k = lg t2 and t3k = lg t3; of course, the base of the logarithm is not restricted.
Then, perform an operation on the smoothed actual time length t3k and the smoothed total time length t2k to obtain the historical risk coefficient b. In the embodiments of the application, the formula for the historical risk coefficient b is:
b = (1 + t3k)/(1 + t2k) = (1 + lg t3)/(1 + lg t2)
Fig. 5 shows the process of determining the team risk coefficient in the method for identifying risk behavior provided by an embodiment of the application, which includes the following steps:
S137: Determine the total number of users n in the user group to which user M belongs.
Continuing the example, suppose user M is a customer service employee of the e-commerce website. The department in which user M works is taken as the user group, and the total number of users n in this department is assumed to be 20.
S138: Within the user group, obtain the actual number of users m who operated the specific behavior link G within a second time period t4.
In the example, suppose the second time period t4 is one day. Step S138 then counts how many of the 20 people in user M's department operated the specific behavior link G on a given day (the actual number of users m). Specifically, the behavior data of the 20 people in the department for that day is obtained, and each of the 20 users is checked in turn for whether they operated the specific behavior link G that day. If so, m is increased by 1; if not, m is increased by 0, until the actual number of users m who operated the specific behavior link G that day is obtained.
S139: Determine the team risk coefficient c from the total number of users n and the actual number of users m.
In the embodiments of the application, if the user group to be analyzed contains many users (for example, n = 1000) and the actual number of users who operated the specific behavior link G on a given day is m = 5, the probability that the specific behavior link G was operated within the user group is low. If the user group to be analyzed contains few users (for example, n = 10) and the actual number of users who operated the specific behavior link G on a given day is m = 5, the probability that the specific behavior link G was operated within the user group is high. The difference in the number of users between user groups therefore affects the accuracy of the team risk coefficient c. To smooth out the difference in the number of users that user groups contain, step S139 specifically includes:
First, smooth the total number of users n and the actual number of users m to obtain a smoothed total number of users p and a smoothed actual number of users q. In the embodiments of the application, the smoothing may be taking a logarithm, taking a remainder, taking a root, and so on. Taking the logarithm as an example, p = lg n and q = lg m; of course, the base of the logarithm is not restricted.
Then, perform an operation on the smoothed total number of users p and the smoothed actual number of users q to obtain the team risk coefficient c. In the embodiments of the application, the formula for the team risk coefficient c is:
c = (1 + p)/(1 + q) = (1 + lg n)/(1 + lg m)
S14: Judge, according to the risk coefficient r, whether the specific behavior link G is risky.
In the embodiments of the application, the formula for the risk coefficient r is:
r = a × b × c
Of course, in other embodiments of the application, the risk coefficient is r = a + b + c.
Whether the method for the identification risk behavior that Fig. 6 provides for the embodiment of the present application judges specific behavior link There is the process of risk.In the embodiment of the present application, above step S14 specifically includes:
S141: by the risk factor r of each behavior link according to being ranked up from high to low.
Continue to continue to use present example, it is assumed that the behavioral data extracted is user M owning at D some day Behavior link, in this behavioral data, the behavior link monitored has 100, the most respectively according to top Method determines the risk factor r of these 100 behavior links1~r100, afterwards by risk factor r1~r100According to from height It is ranked up to low.
S142: judge the risk factor r corresponding to specific behavior link GGWhether it is in risk ranking.
In the embodiment of the present application, the ranking of risk factor is the most forward, then show that behavior link is the rarest, its Risk factor is the highest, it is assumed that risk ranking set in advance is first 3, then judge specific behavior link G institute Corresponding risk factor rGWhether it is in first 3.
S143: the most then judge that this specific behavior link G has risk.
If the risk factor r corresponding to specific behavior link GGIt is in first 3, then shows this particular row For link G, there is risk, this specific behavior link G can be announced as risk behavior afterwards, with Inform that the contact staff of certain electricity business website does not operate behavior link.
S144: if it is not, then judge that this specific behavior link G does not have risk.
If the risk factor r corresponding to specific behavior link GGIt is not in first 3, then shows that this is specific Behavior link G does not have risk.
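The following Python sketch is an added example, not code from the patent. It carries steps S12 to S14 through on constructed events using the formulas as written above (a = s1/s2, b = (1 + lg t3)/(1 + lg t2), c = (1 + lg n)/(1 + lg m), r = a × b × c); the function names, action names, fixed quarter-hour slicing from midnight and the sample data are assumptions made for illustration.

```python
import math
from collections import defaultdict
from datetime import date, datetime

SLICE_MIN = 15                          # tG: duration of one behavior link
SLICES_PER_DAY = 24 * 60 // SLICE_MIN   # s1 = 96, as in the page's example


def extract_links(events, slice_min=SLICE_MIN):
    """S121-S123: bucket (user, timestamp, action) events into time slices and
    order each slice's actions by time. Returns {(user, day, slice): link}."""
    buckets = defaultdict(list)
    for user, ts, action in events:
        idx = (ts.hour * 60 + ts.minute) // slice_min
        buckets[(user, ts.date(), idx)].append((ts, action))
    return {key: tuple(a for _, a in sorted(acts)) for key, acts in buckets.items()}


def smoothed_ratio(num, den):
    """(1 + lg num) / (1 + lg den); both counts must be at least 1."""
    if num < 1 or den < 1:
        raise ValueError("counts must be >= 1: lg is undefined for 0")
    return (1 + math.log10(num)) / (1 + math.log10(den))


def score_links(events, user, day, registered, team):
    """S13: return [(link, a, b, c, r)] for `user` on `day`, highest r first.
    A user scored on the registration day has t2 = 0 and raises ValueError."""
    links = extract_links(events)
    todays = {l for (u, d, _), l in links.items() if u == user and d == day}
    t2 = (day - registered).days        # total time length in days
    n = len(team)                       # total number of users in the group
    scored = []
    for g in todays:
        s2 = sum(1 for (u, d, _), l in links.items()
                 if u == user and d == day and l == g)
        t3 = len({d for (u, d, _), l in links.items()
                  if u == user and registered < d <= day and l == g})
        m = len({u for (u, d, _), l in links.items()
                 if u in team and d == day and l == g})
        a = SLICES_PER_DAY / s2         # a = s1/s2
        # b = (1 + lg t3)/(1 + lg t2); as written it grows with t3,
        # whereas a and c shrink as the link becomes more common.
        b = smoothed_ratio(t3, t2)
        c = smoothed_ratio(n, m)        # c = (1 + lg n)/(1 + lg m)
        scored.append((g, a, b, c, a * b * c))
    return sorted(scored, key=lambda row: row[4], reverse=True)


def flag_risky(scored, top_n=3):
    """S14: links whose r falls within the preset risk ranking (top 3 above)."""
    return [row[0] for row in scored[:top_n]]


def build_sample():
    """Constructed data: 4 staff, 10 days; everyone repeats a routine link four
    times a day, and M performs one unusual link once on the last day."""
    team = ["M", "A", "B", "C"]
    events = []
    for d in range(1, 11):
        for u in team:
            for h in (9, 10, 11, 14):
                events.append((u, datetime(2015, 1, d, h, 0), "view_shop"))
                events.append((u, datetime(2015, 1, d, h, 5), "reply_ticket"))
    events.append(("M", datetime(2015, 1, 10, 13, 17), "search_customer"))
    events.append(("M", datetime(2015, 1, 10, 13, 24), "view_orders"))
    return events, team


if __name__ == "__main__":
    sample_events, sample_team = build_sample()
    for link, a, b, c, r in score_links(sample_events, "M", date(2015, 1, 10),
                                        date(2014, 12, 31), sample_team):
        print(" -> ".join(link), f"a={a:.0f} b={b:.2f} c={c:.2f} r={r:.1f}")
```

Because the cut-off is a fixed top-N, the highest-ranked links are flagged even on a day when every link is routine.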
Fig. 7 is a structural diagram of the device for identifying risk behavior provided by an embodiment of the application. Based on the same idea, the device includes:
Acquisition module 10, for obtaining the behavior data of a user.
Selection module 20, for selecting a specific behavior link from the behavior data.
Determining module 30, for determining the risk coefficient of the specific behavior link in the behavior data.
Judging module 40, for judging, according to the risk coefficient, whether the specific behavior link is risky.
In the embodiments of the application, selection module 20 is specifically used to:
Select the fragment data within a specific time period from the behavior data.
Obtain each behavior contained in the fragment data.
Sort the behaviors by time of occurrence to obtain the specific behavior link.
In the embodiments of the application, the risk coefficient includes one or more of a short-term risk coefficient, a historical risk coefficient and a team risk coefficient.
In the embodiments of the application, determining module 30 includes short-term risk determining module 31, used to:
Obtain the total number of operations the user performs on all behavior links within a first time period.
Obtain the number of operations the user performs on the specific behavior link within the first time period.
Determine the ratio of the total number of operations to the number of operations to obtain the short-term risk coefficient.
In the embodiments of the application, determining module 30 includes historical risk determining module 32, used to:
Obtain the user's total time length from the registration time to the current time.
Obtain the actual time length for which the user operated the specific behavior link.
Determine the historical risk coefficient from the total time length and the actual time length.
In the embodiments of the application, determining module 30 includes team risk determining module 33, used to:
Determine the total number of users in the user group to which the user belongs.
Within the user group, obtain the actual number of users who operated the specific behavior link within a second time period.
Determine the team risk coefficient from the total number of users and the actual number of users.
In the embodiments of the application, historical risk determining module 32 includes a first smoothing unit, used to:
Smooth the total time length and the actual time length to obtain a smoothed total time length and a smoothed actual time length.
Perform an operation on the smoothed actual time length and the smoothed total time length to obtain the historical risk coefficient.
In the embodiments of the application, team risk determining module 33 includes a second smoothing unit, used to:
Smooth the total number of users and the actual number of users to obtain a smoothed total number of users and a smoothed actual number of users.
Perform an operation on the smoothed total number of users and the smoothed actual number of users to obtain the team risk coefficient.
In the embodiments of the application, determining module 30 is specifically used to: multiply or sum the short-term risk coefficient, the historical risk coefficient and the team risk coefficient to obtain the risk coefficient.
In the embodiments of the application, judging module 40 is specifically used to:
Sort the risk coefficients of the behavior links from high to low.
Judge whether the risk coefficient corresponding to the specific behavior link falls within the risk ranking.
If so, judge that the specific behavior link is risky; if not, judge that the specific behavior link is not risky.
The method and device that the embodiment of the present application is provided, by obtaining the behavioral data of user, and from this row For data are chosen specific behavior link, determine that described specific behavior link is at described behavior number by computing Finally according to risk factor, risk factor according to, determines whether specific behavior link has risk.Above Process is compared to regulation engine mode, it is not necessary to manually fills up rule leak, thus improves behaviorist risk identification Efficiency;Additionally, above procedure avoids regulation engine consumes the drawback of extra computer resource, thus Alleviate the burden of computer system.
The embodiment of the present application considers short-term (such as: certain sky), history (hour of log-on is to current time) And team's (user place user's group) these three factor, whether the behavior analyzing user has risk, Thus reduce the transformation (such as: team adjusts traffic direction or user and transfers) of some burst factor to The impact of the behavior link at family, and then promote accuracy and the validity of risk Activity recognition.
It is noted that the device of identification risk behavior described herein is based on risk row identified above For method, produced by same thinking, therefore the method for this identification risk behavior can continue to use above knowledge All technical characteristics of the device of other risk behavior, are the most no longer repeated.
It should also be noted that the formulas for the risk coefficients are not limited to the embodiments disclosed in the present application. For example, in other embodiments, the short-term risk coefficient a = s2/s1; the historical risk coefficient b = (1 + lg t2)/(1 + lg t3); the team risk coefficient c = (1 + lg m)/(1 + lg n). Correspondingly, when subsequently judging whether a behavior link has risk, the risk factors of the behavior links are sorted from low to high in order to judge whether the risk factor corresponding to the specific behavior link falls within the risk ranking.
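The scoring and ranking steps described above, as an added Python example (not code from the patent): it builds a behavior link from timestamped events, computes the three coefficients, and shows that the inverted formulas sorted from low to high flag the same links as the original orientation sorted from high to low when the coefficients are multiplied. The field names, the sample figures, the `top_n` cut-off for the risk ranking and the default ratio orientation (total over actual, so rarer links score higher) are assumptions.

```python
import math
from dataclasses import dataclass


def build_link(events, start, end):
    """Behavior link: actions inside [start, end), ordered by time of occurrence."""
    window = [e for e in events if start <= e[0] < end]
    return tuple(action for _, action in sorted(window, key=lambda e: e[0]))


def smooth(x):
    """1 + lg(x) smoothing, as in the (1 + lg ...) terms of the formulas above."""
    if x < 1:
        raise ValueError("counts and durations must be at least 1")
    return 1.0 + math.log10(x)


@dataclass(frozen=True)
class LinkStats:        # field names are assumptions made for this example
    link: tuple
    link_ops: int       # times the user ran this link in the short window
    total_ops: int      # times the user ran any link in the short window
    active_days: int    # actual time length: days on which the user ran this link
    account_days: int   # total time length: registration to now
    group_users: int    # users in the group who ran this link
    group_size: int     # total users in the user's group


def coefficients(s, inverted=False):
    """Return (short-term, historical, team) coefficients for one link."""
    if s.link_ops < 1:
        raise ValueError("the link must have been operated at least once")
    short = s.total_ops / s.link_ops
    hist = smooth(s.account_days) / smooth(s.active_days)
    team = smooth(s.group_size) / smooth(s.group_users)
    if inverted:  # reciprocal form: a smaller value now means a rarer link
        return 1 / short, 1 / hist, 1 / team
    return short, hist, team


def risk_coefficient(s, inverted=False, combine="product"):
    parts = coefficients(s, inverted)
    return math.prod(parts) if combine == "product" else sum(parts)


def risky_links(stats, top_n, inverted=False, combine="product"):
    """Links whose coefficient falls inside the risk ranking (first top_n)."""
    # High-to-low for the default form, low-to-high for the inverted form.
    # With "product" the inverted value is the exact reciprocal, so both
    # orders agree; with "sum" that agreement is not guaranteed in general.
    ranked = sorted(stats,
                    key=lambda s: risk_coefficient(s, inverted, combine),
                    reverse=not inverted)
    return [s.link for s in ranked[:top_n]]


# Constructed sample data: (hour, action) events for one user, unordered.
SAMPLE_EVENTS = [(14, "export"), (9, "login"), (11, "query_customer"), (30, "login")]

# Constructed per-link statistics for the same user.
SAMPLE_STATS = [
    LinkStats(("login", "view_order", "logout"), 40, 50, 300, 400, 18, 20),
    LinkStats(("login", "query_customer", "export"), 1, 50, 1, 400, 1, 20),
    LinkStats(("login", "edit_profile", "logout"), 9, 50, 30, 400, 10, 20),
]

if __name__ == "__main__":
    print(build_link(SAMPLE_EVENTS, 0, 24))
    for s in SAMPLE_STATS:
        print(s.link, round(risk_coefficient(s), 2))
    print(risky_links(SAMPLE_STATS, top_n=1))
```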
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include volatile memory in computer-readable media, random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape and disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" and any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, commodity or device. Without further limitation, an element defined by the statement "includes a ..." does not exclude the existence of other identical elements in the process, method, commodity or device that includes the element.
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The foregoing is only embodiments of the present application and is not intended to limit the present application. For those skilled in the art, the present application may have various modifications and variations. Any modification, equivalent substitution, improvement and the like made within the spirit and principle of the present application shall fall within the scope of the claims of the present application.

Claims (20)

1. A method for identifying risk behavior, characterized by comprising:
Obtaining behavior data of a user;
Selecting a specific behavior link from the behavior data;
Determining the risk factor of the specific behavior link in the behavior data;
Judging, according to the risk factor, whether the specific behavior link has risk.
2. The method according to claim 1, characterized in that selecting a specific behavior link from the behavior data specifically comprises:
Selecting fragment data within a specific time period from the behavior data;
Obtaining each behavior included in the fragment data;
Sorting the behaviors in order of their time of occurrence to obtain the specific behavior link.
3. The method according to claim 1, characterized in that the risk factor comprises one or more of a short-term risk coefficient, a historical risk coefficient and a team risk coefficient.
4. The method according to claim 3, characterized in that determining the risk factor of the specific behavior link in the behavior data specifically comprises:
Obtaining the total number of operations the user performed on all behavior links within a first time period;
Obtaining the number of operations the user performed on the specific behavior link within the first time period;
Determining the ratio between the total number of operations and the number of operations, to obtain the short-term risk coefficient.
5. The method according to claim 3, characterized in that determining the risk factor of the specific behavior link in the behavior data specifically comprises:
Obtaining the total time length of the user from registration time to the current time;
Obtaining the actual time length for which the user has operated the specific behavior link;
Determining the historical risk coefficient according to the total time length and the actual time length.
6. The method according to claim 3, characterized in that determining the risk factor of the specific behavior link in the behavior data specifically comprises:
Determining the total number of users in the user group to which the user belongs;
Obtaining, within the user group, the actual number of users who operated the specific behavior link within a second time period;
Determining the team risk coefficient according to the total number of users and the actual number of users.
7. The method according to claim 5, characterized in that determining the historical risk coefficient according to the total time length and the actual time length specifically comprises:
Smoothing the total time length and the actual time length to obtain a smoothed total time length and a smoothed actual time length;
Performing a computation on the smoothed actual time length and the smoothed total time length to obtain the historical risk coefficient.
8. The method according to claim 6, characterized in that determining the team risk coefficient according to the total number of users and the actual number of users specifically comprises:
Smoothing the total number of users and the actual number of users to obtain a smoothed total number of users and a smoothed actual number of users;
Performing a computation on the smoothed total number of users and the smoothed actual number of users to obtain the team risk coefficient.
9. The method according to claim 3, characterized in that determining the risk factor of the specific behavior link in the behavior data specifically comprises:
Multiplying or summing the short-term risk coefficient, the historical risk coefficient and the team risk coefficient to obtain the risk factor.
10. The method according to claim 1, characterized in that judging, according to the risk factor, whether the target behavior has risk specifically comprises:
Sorting the risk factors of the behavior links from high to low;
Judging whether the risk factor corresponding to the specific behavior link falls within the risk ranking;
If so, judging that the specific behavior link has risk; if not, judging that the specific behavior link does not have risk.
11. A device for identifying risk behavior, characterized by comprising:
An acquisition module, configured to obtain behavior data of a user;
A selection module, configured to select a specific behavior link from the behavior data;
A determining module, configured to determine the risk factor of the specific behavior link in the behavior data;
A judging module, configured to judge, according to the risk factor, whether the specific behavior link has risk.
12. The device according to claim 11, characterized in that the selection module is specifically configured to:
Select fragment data within a specific time period from the behavior data;
Obtain each behavior included in the fragment data;
Sort the behaviors in order of their time of occurrence to obtain the specific behavior link.
13. The device according to claim 11, characterized in that the risk factor comprises one or more of a short-term risk coefficient, a historical risk coefficient and a team risk coefficient.
14. The device according to claim 13, characterized in that the determining module comprises a short-term risk determining module, configured to:
Obtain the total number of operations the user performed on all behavior links within a first time period;
Obtain the number of operations the user performed on the specific behavior link within the first time period;
Determine the ratio between the total number of operations and the number of operations, to obtain the short-term risk coefficient.
15. The device according to claim 13, characterized in that the determining module comprises a historical risk determining module, configured to:
Obtain the total time length of the user from registration time to the current time;
Obtain the actual time length for which the user has operated the specific behavior link;
Determine the historical risk coefficient according to the total time length and the actual time length.
16. The device according to claim 13, characterized in that the determining module comprises a team risk determining module, configured to:
Determine the total number of users in the user group to which the user belongs;
Obtain, within the user group, the actual number of users who operated the specific behavior link within a second time period;
Determine the team risk coefficient according to the total number of users and the actual number of users.
17. The device according to claim 15, characterized in that the historical risk determining module comprises a first smoothing unit, configured to:
Smooth the total time length and the actual time length to obtain a smoothed total time length and a smoothed actual time length;
Perform a computation on the smoothed actual time length and the smoothed total time length to obtain the historical risk coefficient.
18. The device according to claim 16, characterized in that the team risk determining module comprises a second smoothing unit, configured to:
Smooth the total number of users and the actual number of users to obtain a smoothed total number of users and a smoothed actual number of users;
Perform a computation on the smoothed total number of users and the smoothed actual number of users to obtain the team risk coefficient.
19. The device according to claim 13, characterized in that the determining module is specifically configured to:
Multiply or sum the short-term risk coefficient, the historical risk coefficient and the team risk coefficient to obtain the risk factor.
20. The device according to claim 11, characterized in that the judging module is specifically configured to:
Sort the risk factors of the behavior links from high to low;
Judge whether the risk factor corresponding to the specific behavior link falls within the risk ranking;
If so, judge that the specific behavior link has risk; if not, judge that the specific behavior link does not have risk.
CN201510093725.4A 2015-03-02 2015-03-02 Identify the method and device of risk behavior Active CN105989155B (en)

Priority Applications (9)

Application Number Priority Date Filing Date Title
CN201510093725.4A CN105989155B (en) 2015-03-02 2015-03-02 Identify the method and device of risk behavior
PCT/CN2016/074424 WO2016138830A1 (en) 2015-03-02 2016-02-24 Method and apparatus for recognizing risk behavior
PL16758446T PL3267348T3 (en) 2015-03-02 2016-02-24 Method and apparatus for recognizing risk behavior
EP16758446.5A EP3267348B1 (en) 2015-03-02 2016-02-24 Method and apparatus for recognizing risk behavior
JP2017546734A JP6734293B2 (en) 2015-03-02 2016-02-24 Method and apparatus for identifying dangerous behavior
ES16758446T ES2801273T3 (en) 2015-03-02 2016-02-24 Method and apparatus for recognizing risk behavior
SG11201707032UA SG11201707032UA (en) 2015-03-02 2016-02-24 Method and apparatus for identifying risky behavior
KR1020177026844A KR102125116B1 (en) 2015-03-02 2016-02-24 Methods and devices for recognizing potentially dangerous activities
US15/694,030 US10601850B2 (en) 2015-03-02 2017-09-01 Identifying risky user behaviors in computer networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510093725.4A CN105989155B (en) 2015-03-02 2015-03-02 Identify the method and device of risk behavior

Publications (2)

Publication Number Publication Date
CN105989155A true CN105989155A (en) 2016-10-05
CN105989155B CN105989155B (en) 2019-10-25

Family

ID=56848744

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510093725.4A Active CN105989155B (en) 2015-03-02 2015-03-02 Identify the method and device of risk behavior

Country Status (9)

Country Link
US (1) US10601850B2 (en)
EP (1) EP3267348B1 (en)
JP (1) JP6734293B2 (en)
KR (1) KR102125116B1 (en)
CN (1) CN105989155B (en)
ES (1) ES2801273T3 (en)
PL (1) PL3267348T3 (en)
SG (1) SG11201707032UA (en)
WO (1) WO2016138830A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106529288A (en) * 2016-11-16 2017-03-22 智者四海(北京)技术有限公司 Account risk identification method and device
CN107517203A (en) * 2017-08-08 2017-12-26 北京奇安信科技有限公司 A kind of user behavior baseline method for building up and device
CN108229963A (en) * 2016-12-12 2018-06-29 阿里巴巴集团控股有限公司 The Risk Identification Method and device of user's operation behavior
CN108304308A (en) * 2018-02-07 2018-07-20 平安普惠企业管理有限公司 User behavior monitoring method, device, computer equipment and storage medium
CN108427624A (en) * 2017-02-13 2018-08-21 阿里巴巴集团控股有限公司 A kind of recognition methods of system stability risk and equipment
CN108449307A (en) * 2017-02-16 2018-08-24 上海行邑信息科技有限公司 A method of risk equipment for identification
CN113051560A (en) * 2021-04-13 2021-06-29 北京安天网络安全技术有限公司 Terminal behavior safety identification method and device

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10915643B2 (en) 2017-05-15 2021-02-09 Forcepoint, LLC Adaptive trust profile endpoint architecture
US10917423B2 (en) 2017-05-15 2021-02-09 Forcepoint, LLC Intelligently differentiating between different types of states and attributes when using an adaptive trust profile
US10447718B2 (en) 2017-05-15 2019-10-15 Forcepoint Llc User profile definition and management
US10623431B2 (en) * 2017-05-15 2020-04-14 Forcepoint Llc Discerning psychological state from correlated user behavior and contextual information
US10862927B2 (en) * 2017-05-15 2020-12-08 Forcepoint, LLC Dividing events into sessions during adaptive trust profile operations
US9882918B1 (en) 2017-05-15 2018-01-30 Forcepoint, LLC User behavior profile in a blockchain
US10999297B2 (en) 2017-05-15 2021-05-04 Forcepoint, LLC Using expected behavior of an entity when prepopulating an adaptive trust profile
US10129269B1 (en) 2017-05-15 2018-11-13 Forcepoint, LLC Managing blockchain access to user profile information
US10999296B2 (en) 2017-05-15 2021-05-04 Forcepoint, LLC Generating adaptive trust profiles using information derived from similarly situated organizations
CN107566163B (en) * 2017-08-10 2020-11-06 奇安信科技集团股份有限公司 Alarm method and device for user behavior analysis association
US10853496B2 (en) 2019-04-26 2020-12-01 Forcepoint, LLC Adaptive trust profile behavioral fingerprint
US11621974B2 (en) * 2019-05-14 2023-04-04 Tenable, Inc. Managing supersedence of solutions for security issues among assets of an enterprise network
CN110457896A (en) * 2019-07-02 2019-11-15 北京人人云图信息技术有限公司 The detection method and detection device of online access
CN111582722B (en) * 2020-05-09 2022-06-07 拉扎斯网络科技(上海)有限公司 Risk identification method and device, electronic equipment and readable storage medium
CN112866230B (en) * 2021-01-13 2023-05-16 深信服科技股份有限公司 Risk detection method, risk detection device and storage medium
CN112927068A (en) * 2021-03-30 2021-06-08 善诊(上海)信息技术有限公司 Method, device and equipment for determining risk classification threshold of business data and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070245420A1 (en) * 2005-12-23 2007-10-18 Yong Yuh M Method and system for user network behavioural based anomaly detection
US7574382B1 (en) * 2004-08-03 2009-08-11 Amazon Technologies, Inc. Automated detection of anomalous user activity associated with specific items in an electronic catalog
CN104011731A (en) * 2011-10-18 2014-08-27 迈克菲公司 User Behavioral Risk Assessment
US20140359777A1 (en) * 2013-05-31 2014-12-04 Fixmo, Inc. Context-aware risk measurement mobile device management system
CN104376266A (en) * 2014-11-21 2015-02-25 工业和信息化部电信研究院 Determination method and device for security level of application software

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7953814B1 (en) * 2005-02-28 2011-05-31 Mcafee, Inc. Stopping and remediating outbound messaging abuse
US7574832B1 (en) 2007-01-24 2009-08-18 Lieberman Phillip L Portable telescoping tower assembly
JP2010108469A (en) 2008-10-01 2010-05-13 Sky Co Ltd Operation monitoring system and operation monitoring program
US8356001B2 (en) 2009-05-19 2013-01-15 Xybersecure, Inc. Systems and methods for application-level security
US8566956B2 (en) 2010-06-23 2013-10-22 Salesforce.Com, Inc. Monitoring and reporting of data access behavior of authorized database users
WO2014088559A1 (en) * 2012-12-04 2014-06-12 Hewlett-Packard Development Company, L.P. Determining suspected root causes of anomalous network behavior
US8850517B2 (en) 2013-01-15 2014-09-30 Taasera, Inc. Runtime risk detection based on user, application, and system action sequence correlation
CN103297267B (en) * 2013-05-10 2016-05-11 中华通信***有限责任公司河北分公司 A kind of methods of risk assessment of network behavior and system
US20150039513A1 (en) * 2014-02-14 2015-02-05 Brighterion, Inc. User device profiling in transaction authentications
US10075474B2 (en) * 2015-02-06 2018-09-11 Honeywell International Inc. Notification subsystem for generating consolidated, filtered, and relevant security risk-based notifications

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7574382B1 (en) * 2004-08-03 2009-08-11 Amazon Technologies, Inc. Automated detection of anomalous user activity associated with specific items in an electronic catalog
US20070245420A1 (en) * 2005-12-23 2007-10-18 Yong Yuh M Method and system for user network behavioural based anomaly detection
CN104011731A (en) * 2011-10-18 2014-08-27 迈克菲公司 User Behavioral Risk Assessment
US20140359777A1 (en) * 2013-05-31 2014-12-04 Fixmo, Inc. Context-aware risk measurement mobile device management system
CN104376266A (en) * 2014-11-21 2015-02-25 工业和信息化部电信研究院 Determination method and device for security level of application software

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106529288A (en) * 2016-11-16 2017-03-22 智者四海(北京)技术有限公司 Account risk identification method and device
CN108229963A (en) * 2016-12-12 2018-06-29 阿里巴巴集团控股有限公司 The Risk Identification Method and device of user's operation behavior
CN108229963B (en) * 2016-12-12 2021-07-30 创新先进技术有限公司 Risk identification method and device for user operation behaviors
CN108427624A (en) * 2017-02-13 2018-08-21 阿里巴巴集团控股有限公司 A kind of recognition methods of system stability risk and equipment
CN108427624B (en) * 2017-02-13 2021-03-02 创新先进技术有限公司 System stability risk identification method and device
CN108449307A (en) * 2017-02-16 2018-08-24 上海行邑信息科技有限公司 A method of risk equipment for identification
CN108449307B (en) * 2017-02-16 2020-12-29 上海行邑信息科技有限公司 Method for identifying risk equipment
CN107517203A (en) * 2017-08-08 2017-12-26 北京奇安信科技有限公司 A kind of user behavior baseline method for building up and device
CN107517203B (en) * 2017-08-08 2020-07-14 奇安信科技集团股份有限公司 User behavior baseline establishing method and device
CN108304308A (en) * 2018-02-07 2018-07-20 平安普惠企业管理有限公司 User behavior monitoring method, device, computer equipment and storage medium
CN113051560A (en) * 2021-04-13 2021-06-29 北京安天网络安全技术有限公司 Terminal behavior safety identification method and device
CN113051560B (en) * 2021-04-13 2024-05-24 北京安天网络安全技术有限公司 Safety identification method and device for terminal behaviors

Also Published As

Publication number Publication date
ES2801273T3 (en) 2021-01-08
US20180013780A1 (en) 2018-01-11
JP2018510422A (en) 2018-04-12
PL3267348T3 (en) 2020-11-16
KR102125116B1 (en) 2020-06-22
EP3267348A1 (en) 2018-01-10
EP3267348A4 (en) 2018-10-31
EP3267348B1 (en) 2020-04-08
KR20170125864A (en) 2017-11-15
CN105989155B (en) 2019-10-25
SG11201707032UA (en) 2017-09-28
JP6734293B2 (en) 2020-08-05
WO2016138830A1 (en) 2016-09-09
US10601850B2 (en) 2020-03-24

Similar Documents

Publication Publication Date Title
CN105989155A (en) Method and device for identifying risk behaviors
CN110147967B (en) Risk prevention and control method and device
US11295242B2 (en) Automated data and label creation for supervised machine learning regression testing
CN112926699A (en) Abnormal object identification method, device, equipment and storage medium
AU2021271205A1 (en) Prediction of performance degradation with non-linear characteristics
US11405416B2 (en) Method and device for identifying security threats, storage medium, processor and terminal
CN110162445A (en) The host health assessment method and device of Intrusion Detection based on host log and performance indicator
US11972382B2 (en) Root cause identification and analysis
CN106371983A (en) Method and device for alarming based on data development
US11507434B2 (en) Recommendation and deployment engine and method for machine learning based processes in hybrid cloud environments
CN117193975A (en) Task scheduling method, device, equipment and storage medium
CN115081641A (en) Model training method, estimation result prediction method, device and storage medium
CN112990583A (en) Method and equipment for determining mold entering characteristics of data prediction model
CN113569162A (en) Data processing method, device, equipment and storage medium
CN111897702B (en) Early warning processing method and device for business system, computer system and medium
AU2021204470A1 (en) Benefit surrender prediction
CN109559206A (en) A kind of regional enterprises Credit Evaluation System method, apparatus and terminal device
CN116757476A (en) Method and device for constructing risk prediction model and method and device for risk prevention and control
CN112950024A (en) Decision-making method based on hydropower station emergency command, storage medium and electronic equipment
CN116342161A (en) Data processing method, device, equipment and storage medium for customer churn
CN113657546B (en) Information classification method, device, electronic equipment and readable storage medium
CN110362627A (en) Based on the business diagnosis method and device of block chain, electronic equipment, storage medium
US20190171985A1 (en) Data assignment to identifier codes
CN115099339A (en) Fraud behavior identification method and device, electronic equipment and storage medium
CN109598364A (en) A kind of prediction technique and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Patentee before: Alibaba Group Holding Ltd.

TR01 Transfer of patent right